Is there any way to find the user idle time based on the usage of the access token and then allow/deny the refresh token? For example, assume token expiry is 30 secs.
Scenario 1: Allow refresh token if the user performs a transaction at 29 sec and would like to continue beyond token expiry, i.e. idle time < token expiry time.
Scenario 2: Deny refresh token if the user logs in but doesn't perform any transaction until 31 sec, i.e. idle time >= token expiry time.
Not sure if I understand your question correctly. Let's find out what options you have to find user idle time; maybe that will help to implement your flow.
User_Idle_Time: to know the user idle time, you will need to know the user_last_access_time and you need to be able to track it.
You have 2 options:
1. If you are tracking the 'last_accessed_time' based on access tokens, you can use this policy to do that:
http://docs.apigee.com/api-services/reference/set-oauth-v2-info-policy
2. If you want to track this across access tokens, that is, based on 'refresh_tokens', you could use a KeyValueMap to manage it:
<Key=refresh_token>:<Value=last_access_time>
Based on your use case, you could pick one of the approaches.
Now that you can derive 'idle_time' from this information, you can enforce any kind of conditions/rules you need based on this.
@Mukunda, does option 1 work on an expired token? I don't think so. Option 2 will work but brings in additional maintenance activities. What is the approach on cleaning up the expired/unused tokens from KVM?
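The following is an added model of option 2 from the answer above together with the cleanup question raised in the comment; it is not code from the thread or from Apigee. A plain dict stands in for the KeyValueMap, the class and method names are assumptions, and the 30-second expiry and the two scenarios come from the question.

```python
"""Idle-time gate for refresh tokens: the KVM (modelled here as a dict) maps
refresh_token -> last_access_time; refresh is allowed only while the user's
idle time is below the access-token lifetime. Constructed example."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

TOKEN_EXPIRY_SECS = 30  # access-token lifetime from the question's scenarios


@dataclass
class IdleTracker:
    expiry: int = TOKEN_EXPIRY_SECS
    # Stands in for <Key=refresh_token>:<Value=last_access_time> in the KVM.
    last_access: Dict[str, float] = field(default_factory=dict)

    def login(self, refresh_token: str, now: float) -> None:
        # Issuing the token pair counts as the first access.
        self.last_access[refresh_token] = now

    def on_access(self, refresh_token: str, now: float) -> None:
        # Called on every request made with an access token tied to this refresh token.
        self.last_access[refresh_token] = now

    def idle_time(self, refresh_token: str, now: float) -> float:
        return now - self.last_access[refresh_token]

    def try_refresh(self, refresh_token: str, now: float) -> Tuple[bool, str]:
        if refresh_token not in self.last_access:
            return False, "unknown_refresh_token"
        idle = self.idle_time(refresh_token, now)
        if idle >= self.expiry:
            # Scenario 2: idle for at least the token lifetime -> deny and drop the entry
            del self.last_access[refresh_token]
            return False, f"idle_timeout idle={idle:.0f}s >= {self.expiry}s"
        # Scenario 1: still active -> allow; the refresh itself counts as an access
        self.last_access[refresh_token] = now
        return True, f"allowed idle={idle:.0f}s < {self.expiry}s"

    def purge_idle(self, now: float) -> int:
        # Maintenance pass for entries whose owner never came back (the KVM cleanup
        # question): remove every key idle for at least the token lifetime.
        stale = [t for t, ts in self.last_access.items() if now - ts >= self.expiry]
        for t in stale:
            del self.last_access[t]
        return len(stale)
```

In a real proxy the purge would run on a schedule rather than inline, since a refresh request for a stale key already removes that key on denial.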